With the ever-increasing number of high-profile data breaches and cyber attacks, you would think that it would be fairly easy to convince your executives to invest in cybersecurity. However, as every IT decision maker knows, it just doesn’t work like that.
For most people, executives included, until the problem is staring them in the face it is all too easy for them to convince themselves that it just won’t happen to them, or that they are already doing enough.
In the world of digital security, however, there is no such thing as ‘enough’: threats are constantly evolving and finding new ways into previously secure systems, so only continuous work and investment can keep your business safe.
There are three key approaches to take to help your executives see the light when it comes to cybersecurity: using measurable success metrics, conducting real-world demonstrations, and talking about cold hard cash.
Steer clear of fear and define success
While news stories about corporations brought to their knees by cyber attacks can prompt a bit of a spending spree, they don’t tend to result in long-term investment. For that, you need to be able to demonstrate continuing progress, as well as continuing need.
To that end, you need to define success for your IT team, and not just in the most obvious ‘200 days since last data breach’ sort of way; that just reinforces the view that you are doing ‘enough’.
Instead, have your security professionals constantly conduct penetration tests, patching vulnerabilities and closing holes as they are found. Use the number of vulnerabilities fixed as your continuing metric to show that no matter how much you do, the rapidly evolving nature of digital business (as well as digital threats) means that new vulnerabilities are always emerging, so constant investment is needed to keep your team plugging the holes as they appear.
Conduct some ‘real world’ tests
Fundamentally, the vast majority of breaches are still caused by the age-old tactic of social engineering, for which most people believe that they are too smart to fall.
While it can be a bit of a questionable career move to humiliate your executives, you can conduct a ‘real world’ experiment and send manufactured phishing emails, fake unsafe links, or attachments from unknown email addresses to key decision makers in your company, and track how many of them fall for the simple tricks. You might not make any friends, but you will demonstrate the need for security in real terms.
Talk about the bottom line
At the end of the day, people at the top of businesses respond most keenly to discussions surrounding the impact of something on the bottom line, so you need to show them that poor security can cost much more than investment. You could talk about the cost of a data breach itself, but that is nebulous. Instead, look to the upcoming GDPR, which promises fines of up to €20 million or 4% of global turnover for firms that fail to properly secure sensitive data.
Even with these tips, convincing executives is no easy task: but you don’t have to do it alone. Contact Ross Clifford & Associates to help alleviate the senior digital resource shortfalls and enable you to overcome these important issues.